More than 400m Facebook users’ data leaked: what happened and are you affected?

The phone numbers of millions of Facebook users have been exposed through open online customer databases, the company has admitted.

Facebook confirmed the breach following the discovery that more than 419 million records were being stored “over several databases” in an online server that was not password protected, according to TechCrunch.

As well as phone numbers, the records reportedly included the dates of birth and Facebook ID codes of users in countries across the globe.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

A spokesperson for the social media giant said an investigation had been launched into the data breach - described by The Guardian as “the latest example of Facebook’s past privacy lapses coming back to haunt its users”.

What happened?

On Wednesday evening, TechCrunch revealed that it had been contacted by cybersecurity analyst Sanyam Jain, of New York City-based Cyware Labs, who claimed to have discovered a series of online servers containing the personal details of Facebook users.

The records included Facebook ID numbers - a “long, unique and public number” that can “easily be used to discern an account’s username” says the tech news site.

The exposed records included 133 million linked to US-based accounts and 18 million associated with UK users, says TechRadar.

However, Facebook claims that the total number of users whose information was exposed is about 210 million, rather than 419 million, as the records contained duplicates.

Regardless of the true numbers involved, the servers, which did not belong to Facebook, were not password protected and could therefore be accessed easily by the public.

TechCrunch contacted the web host after reviewing the data and the servers were swiftly taken offline.

Jake Moore, a security expert at tech firm ESET, told Forbes that “it seems crazy that personal data of this magnitude could be on a server unprotected in 2019, but this just highlights how data gets forgotten about and mistakes can happen”.

Is this incident related to the Cambridge Analytica scandal?

Possibly. Until April 2018, Facebook allowed its users to find people on the social network by simply searching their phone number, CNN reports.

This option was removed in the wake of the Cambridge Analytica row, with Facebook claiming that “malicious actors” had abused the feature to gather information on its users.

However, The Guardian suggest that the data sets at the centre of the latest leak were created using the same tool that Facebook disabled following the Cambridge Analytica revelations.

The most recently exposed data “appeared to be loaded into the exposed database at the end of last month - though that doesn’t necessarily mean the data is new”, adds TechCrunch.

“Although often tied to human error rather than a malicious breach, data exposures nevertheless represent an emerging security problem,” the site says.

Are you affected?

The issue doesn’t appear to be a severe as the numbers suggest, so hopefully not.

Jay Nancarrow, Facebook’s policy director, told TechCrunch: “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.

“The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”